Here is some great ammo to get more budget for IT Security.
Today, the most surprising companies have jumped on the security awareness training bandwagon. Antivirus companies like Sophos, Kaspersky, Webroot and ESET are loudly promoting the fact that end user training is a must.
Well, until recently, the AV industry considered that promoting awareness training was an embarrassing admission that their product was not effective.
By now they seem to have realized that their antivirus product is not the “end-all” and is really just one layer of the defense-in-depth puzzle. There is no way that AV tools can be effective protection against social engineering. So, users need to be trained against that type of attack.
An ESET survey conducted this month sought to gain some insight into how much training organizations provided their employees. 17.9% said “a lot,” 32.5% said “some,” 16.3% said “a little,” and a full third, 33%, said “none.”
This is remarkably risky.
The obvious risk is that an organization will find itself compromised. But that might not be the biggest risk. Security training has increasingly become an important part of legal standards of “reasonable” protection measures.
Organizations that fail to provide it expose themselves not only to being hacked, but to civil lawsuits, breach of contract claims, and considerable regulatory penalties.
A number of US states have laws that demand some form of security training. Organizations flout these at their risk. New-school security awareness training that awakens employees to the threat of phishing and other forms of social engineering is an important and surprisingly affordable way of managing risks like that.
All of the factors above are excellent ammo to get more budget, and the one thing that gives you maximum bang for your buck is training. The first comment that will come out of your users’ mouths is: “How do I share this with my family?” We have an answer for that. And… phishing your users simply is a lot of fun!